Cyber Defense Initiative 2012

SANS Technology Institute Master's Presentation

Creating a Monthly Information Security Scorecard for CIO and CFO

Michael Hoehl

Thursday, December 13th, 7:15pm - 7:55pm

Summary:

Executives are increasingly interested in the state of information security for their organization. The media and press frequently report new methods of technology attack and how another organization has become a victim. Regulators and auditors, including PCI, GLBA, SOX, HIPAA, etc., are demanding more executive time and attention. Routinely communicating in a clear and concise manner with the CIO and CFO is necessary for today's information security leader. Determining what should be communicated and in what format can be a challenge. This presentation provides an approach for creating a Security Scorecard to routinely update the CFO and CIO regarding information security compliance, investment, and risk metrics. A cyclical, sustainable process for managing the Security Scorecard content is proposed, rather than a once-and-done endeavor that will become irrelevant over time.

The GIAC GSLC Gold Paper is posted at http://www.sans.org/reading_room/whitepapers/leadership/creating-monthly-information-security-scorecard-cio-cfo_33588.

Benefits:

The Security Scorecard is an effective communication tool that can help organizations with risk management and strategic decision support. Benefits include:

· Improve security program

· Increase accountability

· Increase credibility

· Improve awareness

· Better resource investment and prioritization justification

BIO: Michael Hoehl has the sweet job of Global IT Security Officer and Director of Internal Controls for a global premium chocolatier. Michael has over 20 years of information technology and security experience. He has established security programs and developed teams in Health, Financial Services, and Manufacturing organizations. He completed his undergraduate studies at Lehigh University and is currently enrolled in the SANS Technology Institute (STI) Master of Science in Information Security Management program. He holds several certifications including CISA, CISSP, PMP, and GIAC GSLC, GCIH, GCIA, and GSNA.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.

Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.